DETAILED ACTION

Claims 1-28, 31, 33, 40, and 45 are pending.

Response to Arguments 

Applicant's arguments submitted on 2/6/09 were considered, but were not 
persuasive. Applicant argues that the present invention in claim 1 states that the 
"second key" is transmitted after computing the authentication code and this feature is 
not taught by Peyravian. The examiner respectfully submits that this feature being 
argued by applicant is not recited in any of the pending claims, including representative 
claim 1. The closest limitation found in representative claim 1 states: "transmitting said 
second key and said authentication code from said responder to an initiator using a first 
communication channel, after computing said authentication code...". 

This limitation as written appears to state that the transmission of the second key 
and said authentication code is done after computing said authentication code. There 
is nothing recited which prohibits the second key from being transmitted before the 
authentication code was computed, as long as the authentication code also was not 
transmitted before computing it. Since it is impossible to transmit something prior to it 
being computed, it is impossible that both the second key and the authentication code 
were transmitted before computing the authentication code. Peyravian meets the 
limitation under contention as it is currently written since the second key (i.e. PW) and 
the authentication code (i.e. HASH(ARGs)) are not both sent until after the 
authentication code is computed.

Note that claim limitations are addressed as they are written not how applicant
may have intended to have written them. The prior rejections are repeated below for
record.



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1-6, 8-11, 14-18, 20-28, 33, and 40 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Peyravian et al (US 2004/0158715) in view of Matyas, Jr. et 
al (US 5,953,420). 
Claim 1: 

Peyravian discloses: 

1. Computing an authentication code (i.e. HASH(ARGs)) using a first key (i.e. Ds or
PKs) and a second key (i.e. PW) within said responder (Fig 1, steps 140-155).
The server is considered the responder. Note that PW is used to create Ds,
which in turn is used to create ARGs, which is used in a hash function to create
an authentication code.

2. Transmitting said second key and said authentication code from said responder
to an initiator, after computing said authentication code (paragraph 33 and Fig 1,
steps 105 and 155-165).

3. Transmitting said first key from said responder to said initiator (Fig 1, steps 160-165).
Note that the first key (Ds or PKs) is sent from the server to the client as
part of EXTs.

4. Computing a verification code (i.e. HASH(ARGs')) using said first key and said 
second key within said initiator (Fig 1, step 120 and Fig 2, steps 210 and 215). 
Note that Dc, which is used to calculate the verification code is calculated from 
PW, thus the verification code is computed using the first key (Ds or PKs) and the 
second key (PW). 

5. Comparing said verification code with said authentication code (Fig 2, step 220). 

6. Authenticating said responder as a correct communication partner if said 
comparing checks out (Fig 2, step 220-225). 

7. Wherein said second key is a secret key (paragraph 22). 



Peyravian does not explicitly disclose the transmitting of the second key and 
authentication code is using a first communication channel, wherein said first 
communication channel is a secure channel. Peyravian also does not explicitly disclose 
the transmitting of the first key is using a second communication channel. 

However, note that Peyravian's invention utilizes a Diffie-Hellman key exchange 
(abstract), which exchanges public keys between an initiator and a responder
(paragraphs 17-32; Fig 1, steps 150-155; and Fig 2, steps 210-215). Matyas discloses
that Diffie-Hellman schemes were vulnerable to a man-in-the-middle type attack (col 2, 
line 6-12 and col 4, lines 19-23). Matyas discloses using a secure channel in 
combination with an unsecured channel to solve this vulnerability (Fig 4 and col 4, lines 
24-67). 

At the time applicant's invention was made, it would have been obvious to one 
skilled in the art to modify Peyravian's invention using Matyas's teachings such that the 
first key (i.e. Ds or PKs) was transmitted using a second/non-secure channel while
everything else (including the second key/PW and authentication code/HASH(ARGs)) 
was transmitted using a first secured/authenticated communication channel. 

One skilled would have been motivated to utilize a first secure communication 
channel to transmit the second key, i.e. PW, and the authentication code, i.e. 
HASH(ARGs), because it would reduce the chances of a man-in-the-middle attack that 
Diffie-Hellman key exchanges are vulnerable to. One skilled would have been 
motivated to use a second/nonsecure channel to transmit the first/public key of 
Peyravian because one skilled in the art would appreciate that there is no need to keep 
public keys secure and transmitting via a non-secure channel is less costly in 
computational resources than using a secure channel. Note that Matyas's invention, 
even though it makes use of both a secured and non-secured channel, still prefers to 
use a non-secured channel to exchange the public key since it offers higher speed and 
is less costly (col 4, lines 64-67 and col 7, lines 30-33). As such, it would have been 
obvious to one of ordinary skill in the art to utilize a nonsecure channel to send the
public key while using a secure channel to send all other values in Peyravian and
Matyas's combination invention.
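
The channel split argued above for claim 1, together with the retransmission request discussed for claims 9 and 40, as an added Python example that is not code from this Office action, from Peyravian or Matyas, or from the application. HMAC-SHA256 as the two-input authentication code, the random bytes standing in for a raw public key, the secure channel modelled as delivering its message unchanged, and all class, function and channel names are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def auth_code(first_key: bytes, second_key: bytes) -> bytes:
    """MAC of exactly two inputs: the public first key, keyed by the secret second key.
    HMAC-SHA256 is an assumption of this example, not a function named on the page."""
    return hmac.new(second_key, first_key, hashlib.sha256).digest()


class Responder:
    def __init__(self, public_key: bytes):
        self.first_key = public_key                # public value, safe to expose
        self.second_key = secrets.token_bytes(16)  # secret, generated in the responder
        self.code = auth_code(self.first_key, self.second_key)

    def secure_message(self):
        """First (secure) channel: second key and code, sent after the code exists."""
        return self.second_key, self.code

    def open_message(self):
        """Second (open) channel: the first key only."""
        return self.first_key


class Initiator:
    def __init__(self, second_key: bytes, code: bytes):
        self.second_key, self.code = second_key, code

    def verify(self, received_first_key: bytes) -> bool:
        # Recompute the verification code and compare in constant time.
        expected = auth_code(received_first_key, self.second_key)
        return hmac.compare_digest(expected, self.code)


def run_exchange(responder, open_channel, max_requests=3):
    """Return (authenticated, transmissions of the first key that were needed)."""
    initiator = Initiator(*responder.secure_message())
    for attempt in range(1, max_requests + 1):
        received = open_channel(responder.open_message(), attempt)
        if initiator.verify(received):
            return True, attempt
        # Mismatch: the initiator asks for the first key again (bounded retries).
    return False, max_requests


# Constructed models of the open channel; each returns what the initiator receives.
def clean_channel(key, attempt):
    return key

def corrupt_first_only(key, attempt):    # one transient transmission error
    return bytes([key[0] ^ 0x01]) + key[1:] if attempt == 1 else key

def substituting_channel(key, attempt):  # key replaced in transit on every attempt
    return hashlib.sha256(b"substituted" + key).digest()


if __name__ == "__main__":
    responder = Responder(secrets.token_bytes(32))  # constructed stand-in public key
    for channel in (clean_channel, corrupt_first_only, substituting_channel):
        print(channel.__name__, run_exchange(responder, channel))
```

A first key altered on the open channel never verifies, because the party altering it does not hold the second key that travelled only over the secure channel.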
Claim 2: 

Peyravian further discloses wherein the first key is generated within said 
responder (Fig 1, step 140). 
Claim 3: 

Peyravian further discloses wherein the second key is generated within said 
responder (paragraph 33). 
Claim 4: 

As per the limitation of wherein in the transmitting of said second key and said 
authentication code, said second key and said authentication code are transmitted via a 
confidential or authenticated communication channel or both, it is obvious to the 
combination invention of Peyravian and Matyas because it was established already in 
claim 1 that it would have been obvious to transmit said second key and said 
authentication code via a secure channel to prevent man-in-the-middle attacks. The 
secure channel disclosed by Matyas is a confidential or authenticated communication 
channel (col 4, lines 37-56). 
Claim 5: 

As per the limitation of wherein in the transmitting of said first key, said first key is 
transmitted via an open channel, it is obvious to the combination invention of Peyravian 
and Matyas because it was established already in claim 1 that it would have been
obvious to transmit said first key via a nonsecure channel since there is no need to
secure a public key. A nonsecure channel is an open channel.
Claim 6: 

As per claim 6, Peyravian further discloses wherein said second key is 
composed of a first part and a second part and wherein said first part is used for 
computing said authentication code and said second part is used for calculating an 
authentication value (paragraph 33 and Fig 1, steps 140-155). 

A person skilled in the art should appreciate that a password, which the examiner 
is considering the second key, is typically composed of several characters. As one can 
divide these characters in several ways, it is composed of a first and second part. Note 
that as recited, the limitation further recited in claim 6 does not prohibit that the second 
part also be used in computing the authentication code and the first part also be used in 
calculating the authentication value, and because the whole password (PW) is used to 
compute an authentication code (HASH(ARGs)) and an authentication value ARGs, said 
first part is used for computing said authentication code and said second part is used for 
calculating an authentication value. 
Claim 8: 

Peyravian further discloses wherein said authentication code and said verification 
code are computed using an algorithm to compute a short message authentication
code (Fig 1, step 155 and Fig 2, step 215). A hash is a short message authentication 
code. 
Claim 9:

Peyravian does not explicitly disclose wherein if the comparison of the
authentication code and the verification code yields a difference, said initiator requests 
said responder to retransmit said first key. However, official notice is taken that asking 
a responder to retransmit a key if authentication fails was well known in the art. At the 
time applicant's invention was made, it would have been obvious to one skilled in the art 
to further modify Peyravian's invention according to the limitations recited in claim 9. 
One skilled would have been motivated to do so because it is common practice in the 
art to let a responder know if authentication failed and to try resubmitting an 
authentication code in case the last transmission was an unintentional mistake. 
Claim 10: 

Peyravian further discloses calculating an authentication value within said 
initiator using said second key (Fig 1, step 120 and Fig 2, steps 210 and 215). PW is 
used to generate Dc, which is used to generate ARGs', which is considered the 
authentication value. 
Claim 11: 

Peyravian further discloses wherein said authentication code is calculated using 
a pseudo random, i.e. hash, function (Fig 1, step 155). 
Claim 14: 

Claim 14 is substantially similar to what is recited in claim 1 and is rejected for 
similar reasons given therein. The difference is that claim 14 recites a raw public key 
for the first key of claim 1. However, note that the first key disclosed by Peyravian is a
raw public key, i.e. Ds or PKs (Fig 1, steps 104 and 150-155 and paragraph 19).

Claim 14 also recites that the raw public key was transmitted within an encrypted
certification payload and extracting said raw public key from said encrypted certification 
payload. However, note that Peyravian discloses the raw public key being transmitted 
within an encrypted certificate payload, i.e. EXTs (Fig 1, steps 160-165). EXTs contains 
the encrypted value HASH(ARGs), thus EXTs can be considered an encrypted 
certificate payload. Figure 2, steps 200-210 discloses both Ds and PKs, either of which
could be considered the raw public key, being used by the client, which means the client 
extracted the raw public key from the encrypted certificate payload. 
Claims 15-18: 

Claims 15-18 recite limitations similar to what is recited in claims 2-3 and 6 
respectively and are rejected for similar reasons given therein. 
Claim 20: 

Claim 20 recites limitations similar to what is recited in claim 5 and is rejected for 
similar reasons. The difference is that claim 20 refers to the first key of claim 5 as the 
raw public key. However, as discussed in claim 14, Peyravian discloses the first key 
being the raw public key. 
Claims 21-22: 

Claims 21-22 recite limitations similar to what is recited in claims 8-9 and are 
rejected for similar reasons given therein. 
Claim 23: 

Peyravian further discloses wherein in further steps for communicating the 
second key is used for authenticating the initiator to the responder (paragraph 39).
Claim 24:

As per claim 24, the limitation that the computing of an authentication code and 
the transmitting of said second key and said authentication code utilize pre- 
authentication message is obvious to the combination teachings of Peyravian and 
Matyas. As discussed in the rejection of claim 1, the combination invention utilizes
a trusted communication channel wherein any message transmitted using the trusted
channel is assumed to be authenticated, thus pre-authentication has occurred. Since at
least some of the messages used to transmit the values used to compute the
authentication code (i.e. HASH(ARGs)) are transmitted using the trusted channel, those
messages can be said to be pre-authenticated. Likewise, the messages used to
transmit the second key (i.e. PW) and authentication code can be said to be pre-authenticated
messages due to use of the trusted channel for transmission of those
messages. As per the limitation of wherein the transmitting of said first key and the
using of said authentication values utilize internet key exchange protocol, these values
are transmitted in Peyravian's invention as part of a key exchange, thus by definition
utilize internet key exchange protocol.
Claim 25: 

Claim 25 is directed towards a system comprising a responder and initiator with 
means for implementing the method of claim 1 and is rejected for similar reasons as 
claim 1. The server of Peyravian is considered a responder and the client is considered
the initiator. 
Claim 26:

Claim 26 is directed towards a system with a generating means for implementing
the method of claims 2 and 3 and is rejected for similar reasons given therein.
Claim 27: 

Claim 27 is directed towards a system with a first transmission system for
implementing the method of claim 4 and is rejected for similar reasons given therein. 
Claim 28: 

Claim 28 is directed towards a system with a second transmission means for
implementing the method of claim 5 and is rejected for similar reasons given therein. 
Claim 33: 

Claim 33 is directed towards a computer readable medium with a computer 
program with instructions stored thereon with instructions operable to cause a processor 
to implement the method of claim 1 and is rejected for the same reasons given in claim 1.
Claim 40: 

Peyravian does not explicitly disclose wherein the communication is also secured 
by said initiator requesting said responder to retransmit said first key if the comparison 
of authentication code and verification code yields a difference. However, official notice 
is taken that the limitation was well known in the art. It would have been obvious to one 
skilled in the art to further modify Peyravian's invention according to the limitations 
recited in claim 40. One skilled would have been motivated to do so because it is 
traditional in the art to notify the initiator of an authentication request to retransmit 
whatever is needed to authenticate the initiator if a first attempt to authenticate the 
initiator failed due to an unintentional error. In the case of the combination invention of
Peyravian and Matyas, the first key is used in the authentication protocol, thus the
initiator would request that the responder retransmit at least the first key. 



Claims 7, 12-13, 19, and 31 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Peyravian et al (US 2004/0158715) in view of Matyas, Jr. et al (US 
5,953,420) and further in view of Eskicioglu (US 2002/0087865). 
Claim 7: 

Peyravian implicitly discloses wherein said first part is an empty string (paragraph 
22). A password is a series of characters, thus one can consider an empty string as 
being the first part of a password. 

Peyravian does not explicitly disclose wherein said authentication code is 
calculated as an unkeyed hash code. However, Eskicioglu discloses that unkeyed hash
codes, where a hash code is generated without use of a key, were well known in the art at
the time applicant's invention was made (paragraph 12). It would have been obvious to 
one skilled in the art to further modify Peyravian's invention such that the authentication 
code was calculated as an unkeyed hash code. One skilled would have been motivated 
to do so because unkeyed hash codes would be useful for providing proof of data 
integrity, which is one of the most important objectives of information security 
(paragraph 4). A further rationale for why it would have been obvious to modify 
Peyravian's invention such that it used an unkeyed hash code instead of a keyed one is 
that doing so is nothing more than simple substitution of one known hashing element for
another to obtain a predictable result. In this case, the type of hash obtained is
predictable.

Application/Control Number: 10/677,642
Art Unit: 2435

Claim 12: 

Peyravian does not explicitly disclose said authentication value for
authenticating messages that have been transmitted from said initiator to said 
responder, or vice versa. However, Eskicioglu discloses use of an authentication value 
for authenticating messages that have been transmitted from said initiator to said 
responder, or vice versa (paragraph 6). At the time applicant's invention was made, it 
would have been obvious to one of ordinary skill in the art to further modify Peyravian's 
invention according to the limitations recited in claim 12. One skilled would have been 
motivated to do so because data authentication is one of the most important objectives 
of information security (Eskicioglu: paragraph 4). 
Claim 13: 

As per claim 13, the limitation that the computing of an authentication code and 
the transmitting of said second key and said authentication code utilize pre- 
authentication message is obvious to the combination teachings of Peyravian and 
Matyas. As discussed in the rejection of claim 1, the combination invention utilizes
a trusted communication channel wherein any message transmitted using the trusted
channel is assumed to be authenticated, thus pre-authentication has occurred. Since at
least some of the messages used to transmit the values used to compute the
authentication code (i.e. HASH(ARGs)) are transmitted using the trusted channel, those
messages can be said to be pre-authenticated. Likewise, the messages used to
transmit the second key (i.e. PW) and authentication code can be said to be pre-authenticated
messages due to use of the trusted channel for transmission of those
messages. As per the limitation of wherein the transmitting of said first key and the
using of said authentication values utilize internet key exchange protocol, these values
are transmitted in Peyravian's invention as part of a key exchange, thus by definition
utilize internet key exchange protocol.
Claim 19: 

Claim 19 recites limitations similar to what is recited in claim 7 and is rejected for
similar reasons given therein. 
Claim 31: 

Claim 31 is directed towards a system comprising operating means for 
implementing the method of claim 13, thus is rejected for similar reasons given therein. 



Claim 45 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Peyravian et al (US 2004/0158715) in view of Matyas, Jr. et al (US 5,953,420) in further 
view of Gehrmann (US 7,284,127). 
Claim 45: 

Peyravian discloses wherein said computing the authentication code (i.e. 
HASH(ARGs)) and said computing the verification code (i.e. HASH(ARGs')) both use a 
message authentication code function (Fig 1, step 155 and Fig 2, step 215).

Peyravian does not disclose the message authentication code function is a
function of only two variables, said two variables being the first and the second key. 
However, Gehrmann discloses a message authentication code function that only uses 
two variables, a first and second key (col 7, lines 30-32). Note that in Peyravian's
invention public key PKs was considered a first key while a password PW was 
considered a second key. In Gehrmann's invention cited, public key X can be 
considered equivalent to PKs of Peyravian and secret string K can be considered 
equivalent to Peyravian's password PW. 

At the time applicant's invention was made, it would have been obvious to one 
skilled in the art to further modify Peyravian's invention using Gehrmann's teachings by 
replacing the message authentication code function used by Peyravian with the one 
used by Gehrmann such that the message authentication code function is a function of 
only two variables, said two variables being the first and the second key. The rationale 
for why it would have been obvious is that doing so would be nothing more than simple 
substitution of one known element for another (which performs a similar functionality) to 
obtain predictable results. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to PONNOREAY PICH whose telephone number is 
(571)272-7962. The examiner can normally be reached on 9:00am-4:30pm Mon-Thurs. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/Ponnoreay Pich/ 
Examiner, Art Unit 2435 



